CoreOS is building a container runtime, Rocket

902 points by kelseyhightower, over 10 years ago

50 comments

otoburb, over 10 years ago
Interesting takeaways from the post:

* Despite Brandon Philips (CoreOS CTO) serving on the Docker governance board, Docker has aggressively expanded their scope well beyond their original container manifesto.

* CoreOS believes the Docker runtime is now too unwieldy and "fundamentally flawed"; the unwritten word that really sprung to mind was that Docker was getting "greedy."

* CoreOS reaffirms their original operating model of being capable of running their infrastructure on and with Docker.

* Rocket is CoreOS's answer to stay true to the "simple composable building block" mantra.

sentiental, over 10 years ago
I have been concerned that Docker's scope was expanding too far for a while now, so I'm glad to see an alternative that might work appear on the horizon. That said, I am somewhat concerned that CoreOS has a suspiciously similar business model to where Docker would probably like to be.

It's in a business's best interest, and exceedingly common practice, to "land and expand" with something clear and compelling, and following that add features to compete with alternative solutions. I don't think there's anything inherently altruistic about CoreOS that would keep Rocket lean in the long-run, especially as they begin migrating their various tools away from Docker containers.

bjt, over 10 years ago
I had just landed LXC container support in Velociraptor [1] when Docker was announced last year. It uses Supervisor to launch LXC containers and run your app inside. I thought long and hard about switching to Docker, but their decision to remove standalone mode [2] would have meant replacing all of Velociraptor's Supervisor integration with Docker integration instead. With Docker being such a moving target over that time span, it just seemed like a bad move.

Since then I've been mulling writing my own standalone 'drydock' utility that would just start a single container and then get out of the way (as opposed to the Docker daemon that insists on being the parent of everything). I'm optimistic that Rocket could be that thing.

Question though: Does Rocket have any concept of the image layering that Docker does? That still seems to me like a killer feature.

[1] https://bitbucket.org/yougov/velociraptor/
[2] https://github.com/docker/docker/issues/503

_mikz, over 10 years ago
I hope Rocket will be more stability oriented than Docker. After running a few hundred containers on a machine for almost a year now, I would not have chosen Docker again. Docker has stability issues all the time and it is taking months to solve them.

Offering strace logs to developers without feedback and finally it was fixed by someone from outside the project. https://github.com/docker/docker/issues/7348

Allocating ports pops now and then every odd docker release: https://github.com/docker/docker/issues/8714

Even stupidest things like allowing to have more dockerfiles in one folder. https://github.com/docker/docker/issues/2112

Docker has its own agenda and it is clearer and clearer.

yannisp, over 10 years ago
Docker just posted a blog response

http://blog.docker.com/2014/12/initial-thoughts-on-the-rocket-announcement/

bketelsen, over 10 years ago
Great news. I'm not a fan of Docker's new monolithic approach to containerization. Things like orchestration and networking should not be included in docker, but rather pluggable.

vito, over 10 years ago
The post mentions not having a daemon running as root, but then you have to run `rkt` as root anyway. Won't this just mean that instead of having a single implementation of a Rocket daemon running as root, there is now one custom one every time it needs to be automated?

It's great to see this problem broken up into reusable pieces though. It totally makes sense to function without a daemon, especially out of the box.

degio, over 10 years ago
I found reading these comments very interesting.

From one point of view, I'm thinking "why did coreos need to be so aggressive?", and "boy, what a gift Solomon Hykes did to coreos by mismanaging this thing so badly", and "man, all of these guys look sort of immature to me".

From the other point of view, I'm respecting docker and coreos even more, as open source projects and as companies, because it feels like there are real people behind them.

If this is the new wave of enterprise companies, I really like it. These are people like us, that engage with us and sometimes screw up, without hiding it. They are doing great things, and the fact that they are a bit immature is actually great.

I'm an entrepreneur myself, I've done enterprise software my whole life, and I always thought it's a shame that companies in this space are so distant from their users and have such little humanity.

Looks like things are changing.

pron, over 10 years ago
Looking at the code[1] this seems to be a simple wrapper around systemd-nspawn[2]

[1]: https://github.com/coreos/rocket/blob/9ae5a199cce878f35a3be493a05bee915474b75e/stage1/container.go

[2]: http://lwn.net/Articles/572957/

darren0, over 10 years ago
Rocket is tied to systemd, that will definitely spawn some interesting discussions. https://github.com/coreos/rocket/blob/9b79880d915f63e73891088fa3b7c32e98870914/stage1/init.go#L29

shykes, over 10 years ago
Hi, I created Docker. I have exactly 3 things to say:

1) Competition is always good. Lxc brought competition to openvz and vserver. Docker brought competition to lxc. And now tools like lxd, rocket and nspawn are bringing competition to Docker. In response Docker is forced to up its game and earn its right to be the dominant tool. This is a good thing.

2) "disappointed" doesn't even begin to describe how I feel about the behavior and language in this post and in the accompanying press campaign. If you're going to compete, just compete! Slinging mud accomplishes nothing and will backfire in the end.

3) if anyone's interested, here is a recent exchange where I highlight Docker's philosophy and goals. Ironically the recipient of this exchange is the same person who posted this article. Spoiler alert: it tells a very different story from the above article.

https://twitter.com/solomonstre/status/530574130819923968 (this is principle 13/13, the rest should be visible via Twitter threading)

EDIT: here is the content of the above twitter thread:

1) interface to the app and developer should be standardized, and enforced ruthlessly to prevent fragmentation

2) infrastructure should be pluggable and composable to the extreme via drivers & plugins

3) batteries included but removable. Docker should ship a default, swappable implementation good enough for the 80% case

4) toolkit model. Whenever it doesn't hurt the user experience, allow using one piece of the platform without the others.

5) Developers and Ops are equally important users. It is possible and necessary to make both happy.

6) If you buy into Docker as a platform, we'll support and help you. If you don't, we'll support and help you :)

7) Protect the integrity of the project at all cost. No design decision in the project has EVER been driven by revenue.

8) Docker inc. in a nutshell: provide basic infrastructure, sell services which make the project more successful, not less.

9) Not everyone has a toaster, and not everyone gets power from a dam. But everyone has power outlets. Docker is the outlet

10) Docker follows the same hourglass architecture as the internet or unix. It's the opposite of "all things to all people"

11) Anyone is free to try "embrace, extend extinguish" on Docker. But incentives are designed to make that a stupid decision

12) Docker's scope and direction are constant. It's people's understanding of it, and execution speed, that are changing

13) If you USE Docker I should listen to your opinion on scope and design. If you SELL Docker, you should listen to mine.

bastichelaar, over 10 years ago
Docker's main focus is to "get people agree on something". And they are doing great in getting traction and adoption. But if everyone starts to create their own flavor of containers, we still don't get portability across servers and clouds. It would be better IMHO if Rocket implements the Docker API, or if they collaborate together in creating a minimal standard. Then everyone would benefit. I'm really curious how Solomon will respond to this...

peterwwillis, over 10 years ago
So here's my take on this. From the docs on github:

    The first step of the process, stage 0, is the actual rkt binary itself.
    This binary is in charge of doing a number of initial preparatory tasks:

      Generating a Container UUID
      Generating a Container Runtime Manifest
      Creating a filesystem for the container
      Setting up stage 1 and stage 2 directories in the filesystem
      Copying the stage1 binary into the container filesystem
      Fetching the specified ACIs
      Unpacking the ACIs and copying each app into the stage2 directories

Questions:

Don't all these steps seem like a lot of disk, cpu and system-dependency-intense operations just to run an application?

Why is this thing written in Go when a shell script could do the same thing while being more portable and easier to hack on?

Why are they saying this thing is composable when they just keep shoving features (like compilation, bootstrapping, configuration management, deployment, service autodiscovery, etc) into a single tool?

andruby, over 10 years ago
Docker has responded on their blog. https://news.ycombinator.com/item?id=8683276

jtchang, over 10 years ago
I don't see any mud slinging.

I've used Docker. And I am looking forward to Rocket. I will use both and I will compare without prejudice.

I personally like the idea of Rocket and am looking forward to more blog posts comparing the two!

HorizonXP, over 10 years ago
As a heavy user of CoreOS and docker, I'm interested to see how this plays out.

My problems with docker have been the security model, for which the only recourse I've had is to use the USER keyword in my Dockerfiles. Furthermore, networking has been a pain point, which I've had to resolve by using host networking to access interfaces.

Let's see how rocket deals with these issues and others. I pay for CoreOS support, so I'm glad to see that they're addressing this.

teekert, over 10 years ago
Hmm, I played around with CoreOS for the past weeks, it was nice, I'm getting the hang of it. What is constantly difficult though is that there is no cross linking of containers (mysql database accessible from user@172.ip.add.r while the Nginx/PHP-fpm docker is looking for a specific mysql ip addr). Restarting containers from images changes both IPs. Not handy. Why not always share a common /etc/hosts with all current containers (given name with current ip addr) in them?

I was also having some issues with php5-fpm in a docker, it doesn't seem designed for it (it gets the file paths communicated from Nginx, not the files so dockers need to sync files)

Somehow I thought CoreOS and Docker would be figuring this out together. I hope somehow that the knowledge I now have will remain relevant, I was planning a hosting service for sports clubs based on drupal8.

Ah well, we are at the beginning of an era, I should have expected this. I'm very curious, who knows, the container space is far from filled, we'll be seeing many distros. There will be Gentoo's, there will be Ubuntu's. It's going to be nice.

tedchs, over 10 years ago
Has libcontainer[1] been considered as a minimal Docker alternative?

[1] https://github.com/docker/libcontainer

jambay, over 10 years ago
it's a very exciting time for Linux Containers. it's been fun to watch the evolution from BSD jails to lxc to docker, but the rate of innovation and usefulness is certainly accelerating. it sure seems like rocket's approach will be much less of a black box than docker images/registry, which should make it much more approachable to people trying to understand what linux containers are all about.

jtolds, over 10 years ago
Improving the security model of docker is mentioned. Docker is known to be currently unsafe to run untrusted containers. Does anyone know yet if Rocket plans to support running untrusted containers safely, ala sandstorm.io?

gexla, over 10 years ago
That's open source. The early implementation of an idea is broken. Someone creates an alternative which fixes the problems. The alternative often doesn't gain the same traction and the original continues as the broken dominant implementation. But the alternative is also broken, but maybe in different ways. As design decisions pile on, the broken spreads. In the end, we again learn that software sucks. It will always suck. For people who don't like reinventing the wheel (or relearning the reinvention) stick with the "good enough" and focus on building cool stuff.

billconan, over 10 years ago
This may be a noob question,

I'm looking into using containers for ui applications. I need to access GPU within the application. is this doable with Rocket or Docker?

Also does Rocket have to be used with CoreOS?

justinsb, over 10 years ago
This looks very interesting - it'll be really useful to have something like Docker that isn't so monolithic - it should be much more composable in new ways.

mwcampbell, over 10 years ago
How will App Container Images be built? I'm guessing that unlike Docker, the standard App Container build tool(s), if any, will be separate from Rocket.

smegel, over 10 years ago
Every open source project starts off so well, then the "founders" decide they want to be gazillionaires, and it's all downhill from there.

Sad.

72deluxe, over 10 years ago
Out of curiosity (as I haven't been using virtualized servers or anything for a number of years, and used to use ESXi on the racks back then, for Windows + Linux), is Docker that widely used?

Reading up on it, I can't see how it is massively different to OpenVZ? Given Docker's youth, is anyone still using OpenVZ over it? And why? I'm interested.

nwmcsween, over 10 years ago
The underlying software coreos relies on is a tightly coupled implementation defined api, then arguing that docker isn't following the "Unix philosophy" is hilarious. I won't touch coreos due to this. I also won't touch docker due to its NIH syndrome of reinventing things, poorly.

jpgvm, over 10 years ago
I fail to see how Rocket is going to end any better than Docker.

It's already tied to systemd-nspawn (though arguably you could make this pluggable to support other process babysitters).

In fact, Rocket as it stands is just a wrapper around systemd-nspawn and little else.

They harp on about this new ACI format but it isn't really anything new and fails to solve the problems that currently face Docker format, which is a sufficient amount of metadata to properly solve the clustered application and networking problems.

I am all for things that do one thing and do them well, but right now Rocket is just systemd-nspawn which is just a more platform specific LXC in my opinion.

Note: I don't necessarily agree with everything Docker is doing either, I just don't think Rocket is a productive way to fix it.

bkeroack, over 10 years ago
Forget the interpersonal back-and-forth. My suspicion is that this is due largely because CoreOS (the company) does not want their product completely dependent on another for-profit company's platform (Docker). It's just smart business.

mbreese, over 10 years ago
I'm all for a new container runtime if it lets me start containers as a non-root user. Allowing non-root users to start containers would open up a whole new level of applications, particularly on multi-tenant HPC-style clusters.

darren0, over 10 years ago
I wonder if Ubuntu LXD will participate in this?

retrack, over 10 years ago
Interesting what the CoreOS team is building. If the code becomes as neat as some of the main parts of CoreOS, then this alone merits attention, we cannot have too much security.

shrikrishna, over 10 years ago
The first thing that popped into my mind when I read this is http://xkcd.com/927/

perlpimp, over 10 years ago
Great, now people who were supposed to be living and working together are going to be at odds with one another, casualty being the end user. Also windows is taking this platforming thing under their consideration too. Given their reach and funding I think it would be smart to band together so it would not turn out like it did in July 1993

meesterdude, over 10 years ago
awesome! this sounds like a great philosophical fork of docker, I'm excited to see this grow.

shawn-butler, over 10 years ago
>>> While we disagree with some of the arguments and questionable rhetoric and timing of the Rocket announcement, we hope that we can all continue to be guided by what is best for users and developers. >>>

What does "timing" of the announcement mean?

mrmondo, over 10 years ago
Interesting that they're talking about security when CoreOS has always had SELinux disabled?

codecraig, over 10 years ago
I'm excited for competition but unfortunately the post seems a bit confused in its message.

On one hand it talks about the original Docker manifesto and later says it was removed, with the removal being a "bad" thing. However, it refers to Docker not being simple as there are plans to add more and more features to it.

Including, "wide range of functions: building images, running images, uploading, downloading, and eventually even overlay networking, all compiled into one monolithic binary running primarily as root on your server". However, in the original manifesto (that was removed), Docker announced/claimed those features would/should exist: https://github.com/docker/docker/commit/0db56e6c519b19ec16c6fbd12e3cee7dfa6018c5#diff-04c6e90faac2675aa89e2176d2eec7d8R12.

Competition is good but this was a bit weak in its first appearance.

pierreozoux, over 10 years ago
Would there be support for Socket Activation? (something that is still missing on Docker..)

craneca0, over 10 years ago
Interesting branding. "Rocket" is basically only one letter different from "Docker". That can't be coincidental. Also has opposite implications - taking off vs settling in.

lgs, over 10 years ago
I'd like to highlight the following analysis:

"Why Docker and CoreOS’ split was predictable" http://bit.ly/1zMLYSt

preillyme, over 10 years ago
Docker has a new competitor (wired.com) https://news.ycombinator.com/item?id=8682794

medhacker, over 10 years ago
For those who are already familiar with the Rocket offering, can you ELI5 what the differences are and what they may mean for container portability?

nstott, over 10 years ago
Congrats on the release, I look forward to seeing what you guys do with this

Wlinuxhv, over 10 years ago
really marked of your discussion to me, a white to what is UNIX philosophy, either the dockers! Guys from China longing for the way of LINUX or UNIX culture!

gfunk911, over 10 years ago
Any plans to "support" Dockerfiles in any way?

make3, over 10 years ago
coreOs is the name of the apple operating systems department. feels weird to read that around

lgas, over 10 years ago
Thank god.

xjlixd, over 10 years ago
good.

api, over 10 years ago
This is how Linux fragments, and ultimately dies as the Linux we know.

I'm not really making a value judgement, just an observation.